ICSA-25-219-02 · Published 2025-12-04
Johnson Controls FX Server, FX80 and FX90 (Update A)
CVSS 7.7 (HIGH)
Risk Summary
Successful exploitation of this vulnerability could allow an attacker to compromise the device's configuration files.
CVEs (1)
Remediations
- Johnson Controls recommends users update to the latest version. Successful exploitation of CVE-2025-43867 could trigger CVE-2025-3936 through CVE-2025-3945.
- For systems running version 14.10.10 or earlier versions, apply the 14.10.11 patch from the software portal.
- For systems running version 14.14.1 or earlier versions, apply the 14.14.2 patch from the software portal.
- Note: FX 14.10.10 contains Niagara 4.10u10
- Note: FX 14.14.1 contains Niagara 4.14u1
- Login credentials are required to access the software portal.
- For more detailed mitigation instructions, visit Johnson Controls Product Security Advisory JCI-PSA-2025-09 v2.
Affected Vendors
Johnson Controls Inc.
Affected Products (6)
- Johnson Controls Inc. · FX80: <=FX_14.10.10
- Johnson Controls Inc. · FX80: <=FX_14.14.1
- Johnson Controls Inc. · FX90: <=FX_14.10.10
- Johnson Controls Inc. · FX90: <=FX_14.14.1
- Johnson Controls Inc. · FX Server: <=FX_14.10.10
- Johnson Controls Inc. · FX Server: <=FX_14.14.1
Affected Sectors
Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy